[Snort-sigs] " ..MS Terminal Server no encryption.. " misfire?

Ben Dugdale ben.dugdale at ...2751...
Fri Aug 27 11:12:13 EDT 2004


The "... MS Terminal Server no encryption session initiation attmept"
rule seems to be misfiring.

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
MISC MS Terminal Server no encryption session initiation attmept
--
Sid:
2418
--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
Connect to a MS Server using rdesktop.

The rdesktop man page seems to indicate that default use is encrypted.

>From the rdesktop man page...

       -e     Disable encryption.  This option is only needed (and will only work) if  you
              have a French version of NT TSE.

       -E     Disable  encryption  from  client  to server.  This sends an encrypted login
              packet, but everything after  this  is  unencrypted  (including  interactive
              logins).

Either the rule is misfiring or rdesktop is not behaving as advertised. Evidence suggests a misfire.

--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:





More information about the Snort-sigs mailing list